Proxy ID and RFC

Subject Author Date
Proxy ID and RFC pvsnmp 03-23-2006
---> Re: Proxy ID and RFC Stephen J. Beva ..03-26-2006
Posted by on March 23, 2006, 3:53 pm
Hi,
Can someone tell me if the concept of proxyID in IKE Phase2 is from any
RFC? If yes, which one is it?
If No, who was the first vendor to come up with this idea??

Thanks and Regards,
Prashant


Posted by Stephen J. Bevan on March 26, 2006, 8:53 pm
pvsnmp@yahoo.com writes:
> Can someone tell me if the concept of proxyID in IKE Phase2 is from any
> RFC? If yes, which one is it?

The phrase "proxy ID" isn't explicitly used in the various IPsec
related RFCs. However, it was used by members of the IPsec
mailing list and in various drafts of what became IPsec RFCs. For
example, the following section is taken from
draft-ietf-ipsec-isakmp-oakley-05.txt, section 5.6 titled "Phase 2-
Quick Mode" :-

    If ISAKMP is acting as a proxy negotiator on behalf of another party
    the identities of the parties MUST be passed as IDui and then IDur.
    Local policy will dictate whether the proposals are acceptable for
    the identities specified.

    ...

    The proxy identities are used to identify and direct traffic
    to the appropriate tunnel in cases where multiple tunnels exist
    between two peers and also to allow for unique and shared SAs with
    different granularities. Local policy will determine whether packets
    which do not match the proxy information on which a tunnel was created
    will be forwarded upon leaving the tunnel.

The language changed considerably by the time RFC 2408 and 2409 were
created and the above sections do not appear. The main references to
"proxy" left are in RFC 2408 section 4.1 :-

    IDx is the identity payload for "x". x can be: "ii" or "ir"
    for the ISAKMP initiator and responder, respectively, or x can
    be: "ui", "ur" (when the ISAKMP daemon is a proxy negotiator),
    for the user initiator and responder, respectively.

and RFC 2409 section 7.2 :-

    The following payloads are exchanged in the first round of Quick Mode
    with ISAKMP SA negotiation. In this hypothetical exchange, the ISAKMP
    negotiators are proxies for other parties which have requested
    authentication.
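
Added example, not part of the posts above or of any RFC or draft text: a sketch of how a responder could decode the two Quick Mode identity payloads (called IDci and IDcr in RFC 2409, the draft's IDui and IDur) and apply the local-policy check the draft excerpt describes to a packet leaving the tunnel. It assumes the ID payload layout from the IPsec DOI (RFC 2407, section 4.6.2) and IPv4 only; the function names are hypothetical and the sample payloads are constructed.

```python
import ipaddress
import struct
from typing import NamedTuple

# ID types from the IPsec DOI (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR, ID_IPV4_ADDR_SUBNET, ID_IPV4_ADDR_RANGE = 1, 4, 7

class Selector(NamedTuple):
    proto: int   # 0 means "any protocol"
    port: int    # 0 means "any port"
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    def covers(self, addr, proto, port):
        return (self.first <= ipaddress.IPv4Address(addr) <= self.last
                and self.proto in (0, proto) and self.port in (0, port))

def parse_id_payload(payload: bytes) -> Selector:
    """Decode one Quick Mode ID payload (generic header + IPsec DOI fields)."""
    if len(payload) < 8:
        raise ValueError("truncated ID payload")
    _next, _rsvd, length, id_type, proto, port = struct.unpack("!BBHBBH", payload[:8])
    data = payload[8:]
    if length != len(payload):
        raise ValueError("length field does not match payload size")
    if id_type == ID_IPV4_ADDR and len(data) == 4:
        first = last = ipaddress.IPv4Address(data)
    elif id_type == ID_IPV4_ADDR_SUBNET and len(data) == 8:
        # Strict parsing rejects host bits set under the mask and invalid masks
        net = ipaddress.IPv4Network(
            f"{ipaddress.IPv4Address(data[:4])}/{ipaddress.IPv4Address(data[4:])}")
        first, last = net.network_address, net.broadcast_address
    elif id_type == ID_IPV4_ADDR_RANGE and len(data) == 8:
        first, last = ipaddress.IPv4Address(data[:4]), ipaddress.IPv4Address(data[4:])
        if first > last:
            raise ValueError("range start is above range end")
    else:
        raise ValueError(f"unsupported or malformed ID type {id_type}")
    return Selector(proto, port, first, last)

def inbound_allowed(idci, idcr, src, dst, proto, sport, dport):
    """Responder-side check after decapsulation: src within IDci, dst within IDcr."""
    return idci.covers(src, proto, sport) and idcr.covers(dst, proto, dport)

# Constructed sample payloads: IDci = 10.1.0.0/16, IDcr = 192.168.5.0/24, any proto/port
IDCI = bytes.fromhex("05000010" "04000000" "0a010000" "ffff0000")
IDCR = bytes.fromhex("00000010" "04000000" "c0a80500" "ffffff00")
```

A packet whose inner addresses fall outside the negotiated selectors fails `inbound_allowed`, which is the case the draft leaves to local policy.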

Posted by on March 26, 2006, 10:41 pm
Hi,
Thanks a lot.
Regards,
Prashant

